Focus on Microsoft
customer user accounts and internal user accounts on same domain Jan 26 2009 08:02PM
Stegman, Bill (Bill Stegman crump com) (5 replies)
Re: customer user accounts and internal user accounts on same domain Jan 29 2009 12:31PM
Kevin Tunison (ktunison gmail com) (1 replies)
On Mon, Jan 26, 2009 at 8:02 PM, Stegman, Bill <Bill.Stegman (at) crump (dot) com [email concealed]> wrote:
> Hi, I'm trying to dissuade management from allowing user accounts to be created on the same domain as our company users for what I feel are obvious reasons, but when pressed for specific issues I'm at a bit of a loss. I cited reasons such as:
> A clear demarc between customer accounts and our own accounts
> Not giving any unnecessary rights due to inheritance, but rather having to apply the appropriate permissions rather than remove permissions to attain the desired result
>
> They want to extend a service we offer to our internal employees to a partner. I suggested creating an extranet and using accounts from a separate domain rather than our own, but there is additional overhead imposed by such a design... duh... but I'm hoping to throw out an established standard or something to help my argument.
>

The partner, if on a 2003 domain also, you can both upgrade your DCs
to 2003 R2 and utilize Federated Services. It exists for this
specific reason (allowing a semi-trusted domain/partner access to
selected resources). The whitepaper from MS is here:
http://www.microsoft.com/windowsserver2003/r2/identity_management/adfswhitepaper.mspx

Specific reasons?

Amount of time to run and verify a security audit in the event of a data breach.

Amount of time to set up individual VPNs for each of their users
(allowing a partner-connection without knowing who is on the other end
leaves no specific liability, they could easily hire hacker Joe and
not realize until the damage is done) on top of creating specific user
accounts. I often hear the argument, we'll just give them their own
logins.. which quickly becomes shared login details in reality because
it's remembering more than one login.

Once ADFS is set up, it's no longer taking the time to create a new
domain account (which potentially costs CALs btw), but to grant
access.

Warm Regards,

Kevin Tunison MCSA, MCTS:SQL 2005
http://www.getbusinessconfident.com

Copyright 2010, SecurityFocus